ABSTRACT



A method for authenticating an authorized user to multiple 
computer servers within a distributed computing environ- 
ment after a single network sign-on is disclosed. In accor- 
dance with the method and system of the present invention, 
an authentication broker is provided within the distributed 
computing network. The authentication broker first receives 
an authentication request from a workstation. After a deter- 
mination that the authentication request is valid, the authen- 
tication broker then issues a Kerberos Ticket Granting Ticket 
to the workstation. At this point, if there is a request by the 
workstation for accessing a Kerberos Ticket-based server 
within the distributed computing network, the authentication 
broker will issue a Kerberos Service Ticket to the
workstation. Similarly, if there is a request by the
workstation for accessing a passticket-based server within
the distributed computing network, the authentication
broker will issue a passticket to the workstation. Finally,
if there is a request by the workstation for accessing a
password-based server within the distributed computing
network, the authentication broker will issue a password to
the workstation. By this, accesses to all of the above
servers within the distributed computing network can be
granted via a single network authentication request.

15 Claims, 6 Drawing Sheets 
METHOD AND SYSTEM FOR AUTHENTICATING USERS TO MULTIPLE
COMPUTER SERVERS VIA A SINGLE SIGN-ON

The present invention was developed with the support of
the U.S. Government under Contract No. 94-P1 90800-000.
The U.S. Government has certain rights in this invention.

BACKGROUND OF THE INVENTION 

1. Technical Field 

The present invention relates to a method and system for 
data processing in general and, in particular, to a method and 
system for processing sign-on requests within a distributed 
computer network. Still more particularly, the present inven- 
tion relates to a method and system for authenticating an 
authorized user with respect to multiple computer servers 
within a distributed computing environment after a single 
network sign-on. 

2. Description of the Prior Art 

In a multiuser computer system, identification and authen- 
tication mechanisms are essential for identifying and authen- 
ticating each individual who requests any usage of system 
resources. The most common implementation of such 
mechanisms is a user identification (ID) along with a pass- 
word. Thus, each multiuser computer system contains, as a 
minimum, a unique sign-on ID for each registered user to the 
system. This allows for accountability of system usage down 
to an individual. 

However, when such user identification and authentica- 
tion implementation methodology is extrapolated to more 
than one computer system within a distributed computing 
environment a user must repeatedly provide a user ID along 
with an appropriate password in order to gain access to each 
computer system. For a user who wishes to gain access to
several services, each provided by a different computer 
system, within a single session, this repetitious sign-on 
procedure tends to be very tedious if not annoying. 
Moreover, in most cases, the user ID and password for each
computer system within the distributed computing
environment are so distinctive that it is very inconvenient
for the user to remember several unique user IDs and passwords.
Further, in order to sign-on remotely, the user ID and 
password must be transmitted to a remote computer system. 
Without a secure path between the user's computer system 
and the remote computer system, anyone who has access to 
the distributed computing environment could use a network 
analyzer to discover the user ID and password of the user. As 
such, the effectiveness of the sign-on procedure as a
security measure may be undermined.

One solution for single sign-on and authentication in a 
distributed computing environment is known as "Kerberos." 
Kerberos is an authentication protocol developed as part of 
Project Athena at Massachusetts Institute of Technology. 
Kerberos provides an excellent platform for single sign-on
and authentication in an open network environment.
Unfortunately, Kerberos support is not transparent and
requires various custom modifications to the applications as
well as the system utilities, in a process often referred to
as "Kerberizing." As the popularity of Kerberos has grown in
recent years, many operating system and application vendors
are beginning to provide support for Kerberos, but this
support is far from universal. For this reason, it is not
possible to rely solely upon Kerberos as the only means for
single sign-on in a distributed computing environment.

Other solutions include a sign-on product known as 
"TPX" by Legion Technologies Corporation. TPX is a 
mainframe product for an MVS/VM processing environment.
TPX provides automated sign-on to all MVS sessions within
a distributed computing environment after an initial
authentication to the host computer system. However, TPX
only produces a homogeneous solution, aside from the fact
that it is still relatively expensive to implement.

Consequently, it would be desirable to provide a method
and system for authenticating an authorized user to all
computer servers within a distributed computing environment
that are available to the authorized user after a single
network sign-on, without sacrificing network security.

SUMMARY OF THE INVENTION 

In view of the foregoing, it is therefore an object of the
present invention to provide an improved method and system
for data processing.

It is another object of the present invention to provide an 
improved method and system for processing sign-on 
requests within a distributed computer network. 

It is yet another object of the present invention to provide 
an improved method and system for authenticating an autho- 
rized user to multiple computer servers within a distributed 
computing environment after a single network sign-on. 

In accordance with the method and system of the present
invention, an authentication broker is provided within the
distributed computing network. The authentication broker
first receives an authentication request from a workstation.
After a determination that the authentication request is
valid, the authentication broker then issues a Kerberos
Ticket Granting Ticket to the workstation. At this point, if
there is a request from the workstation for accessing a
Kerberos Ticket-based server within the distributed
computing network, the authentication broker will issue a
Kerberos Service Ticket to the workstation. Similarly, if
there is a request from the workstation for accessing a
passticket-based server within the distributed computing
network, the authentication broker will issue a passticket
to the workstation. Finally, if there is a request from the
workstation for accessing a password-based server within
the distributed computing network, the authentication
broker will issue a password to the workstation. By this,
accesses to all of the above servers within the distributed
computing network can be granted via a single network
authentication request.

All objects, features, and advantages of the present
invention will become apparent in the following detailed
written description.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention itself, as well as a preferred mode of use,
further objects, and advantages thereof, will best be under- 
stood by reference to the following detailed description of an 
illustrative embodiment when read in conjunction with the 
accompanying drawings, wherein: 

FIG. 1 is a pictorial representation of a distributed com- 
puting network in which a preferred embodiment of the 
present invention may be utilized; 
FIG. 2 is an illustration of various types of authentication
schemes by which a computer server can be utilized within
the distributed computing network of FIG. 1;

FIG. 3a is a high-level flow diagram of the authentication 
protocol for Kerberos Ticket-based servers, according to a 
preferred embodiment of the invention; 

FIG. 3b is a high-level flow diagram of the authentication
protocol for passticket-based servers, according to a pre- 
ferred embodiment of the invention; 
FIG. 3c is a high-level flow diagram of the authentication
protocol for password-based servers, according to a pre- 
ferred embodiment of the invention; and 

FIG. 4 is a high-level logic flow diagram of a method for 
authenticating sign-on requests to multiple computer 
servers, in accordance with a preferred embodiment of the 
invention. 

DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENT 

The present invention may be applicable to a variety of 
distributed computing networks, such as a local-area net- 
work (LAN) or a wide-area network (WAN), under a num- 
ber of different operating systems. The computers within the 
distributed computing networks may be personal computers, 
mini-computers, or mainframe computers.

Referring now to the drawings and in particular to FIG. 1, 
there is depicted a pictorial representation of a distributed 
computing network 100 in which a preferred embodiment of 
the present invention may be utilized. As shown in FIG. 1, 
distributed computing network 100 may include a plurality 
of local networks, such as LANs 10 and 20, each of which 
preferably includes a plurality of computers 12 and 22, 
respectively. Of course, those skilled in the art will appre- 
ciate that a plurality of Intelligent Workstations coupled to a 
host processor may also be utilized for each of LANs 10 and 
20. Each of computers 12, 22 may be coupled to a storage 
device 14 and/or an output device 16. One or more of storage 
devices 14 may be utilized to store various types of infor- 
mation within distributed computing network 100. 

Still referring to FIG. 1, distributed computing network 
100 may also include several mainframe computers, such as 
mainframe computer 18 and mainframe computer 26. As 
shown, mainframe computer 18 is coupled to LAN 10 by 
means of communications link 17. Mainframe computer 18 
is also coupled to a storage device 15 which may serve as a 
remote storage for LAN 10. LAN 20 is coupled to LAN 10 
via gateway server 28, communications links 24, 34, and 
mainframe computer 26 which serves as a communications 
controller. Gateway server 28 may be a computer or an 
Intelligent Workstation. Mainframe computer 18 may be 
situated in a location that is very far from LAN 10. Similarly,
LAN 10 may be situated in a location that is also very far 
from LAN 20. For example, LAN 20 may be located in 
California, while LAN 10 may be located in Texas, and 
mainframe computer 18 may be located in New York. 

With reference now to FIG. 2, there is illustrated various 
types of authentication schemes which a computer server 
can utilize within distributed computing network 100 of 
FIG. 1. As shown, a password-based server 36, a passticket-
based server 37, and a Kerberos ticket-based server 38 are
connected to a network communication link 7. In addition, 
a workstation 35 and an authentication server 39 are also 
connected to network communication link 7. 

For the purpose of illustrating the present invention, the 
disclosed method is intended to allow a user to gain access 
to a password-based server 36, a passticket-based server 37, 
and a Kerberos ticket-based server 38 within the distributed 
computing network by simply utilizing a single sign-on at 
workstation 35. However, it is understood by those skilled in 
the art that the disclosed method is also applicable to a 
multiple of any or all of the above-mentioned servers. First,
the user enters a user ID along with an appropriate password
at workstation 35. A connection between workstation 35 and
authentication server 39 is then established. The
authentication of the user ID and password is subsequently
attempted by an authentication broker 34, and if correct, the
authentication is achieved. This permits an open session to
occur such that the user may utilize all services provided by
Kerberos Ticket-based server 38. At a later time, if the user
desires to utilize the services offered by passticket-based
server 37 and/or password-based server 36, the subsequent
sign-on information is automatically provided by
authentication broker 34 for authentication server 39.
Accordingly, access to passticket-based server 37 and
password-based server 36 is obtained without the additional
input of a user ID and password for these servers.

Referring now to FIG. 3a, there is depicted a high-level
flow diagram of the authentication protocol for Kerberos
Ticket-based servers, according to a preferred embodiment
of the invention. Initially, a user signs on with a user ID and
an associated password at workstation 35. An authentication
request is sent to authentication broker 34 with the user ID
and the password. If the user is an authorized user,
authentication broker 34 then sends a Kerberos Ticket
Granting Ticket (KTGT) back to requesting workstation 35. At
this point, if workstation 35 desires services from Kerberos
Ticket-based server 38, workstation 35 has to send the
KTGT to authentication broker 34 to exchange for a Kerberos
Service Ticket (KST) in order to gain access to Kerberos
Ticket-based server 38. If there are more Kerberos
Ticket-based servers in the distributed computing network
that the user at workstation 35 would like to access during
the same session, the same KTGT will be sent to
authentication broker 34 in order to exchange for another
KST to gain access to these Kerberos Ticket-based servers.
Each Kerberos Ticket-based server requires a new and separate
KST for access.

Referring now to FIG. 3b, there is depicted a high-level
flow diagram of the authentication protocol for passticket-
based servers, according to a preferred embodiment of the
invention. If workstation 35 desires a service from a
passticket-based server 37, workstation 35 has to send the
KTGT to authentication broker 34 to exchange for another
KST. In turn, this KST is sent back to authentication broker
34 to exchange for a passticket in order to gain access to
passticket-based server 37. Similarly, if there are more
passticket-based servers in the distributed computing
network that workstation 35 would like to access during the
same session, the same KTGT will be sent to authentication
broker 34 in order to exchange for another KST and
passticket to gain access to these passticket-based servers.
Each passticket-based server requires a separate passticket
for access.

Referring now to FIG. 3c, there is depicted a high-level
flow diagram of the authentication protocol for password-
based servers, according to a preferred embodiment of the
invention. If workstation 35 desires a service from a
password-based server 36, workstation 35 has to send the
KTGT to authentication broker 34 to exchange for another
KST. In turn, this KST is sent back to authentication broker
34 to exchange for a password in order to gain access to
password-based server 36. Similarly, if there are more
password-based servers in the distributed computing
network that workstation 35 would like to access during the
same session, the same KTGT will be sent to authentication
broker 34 in order to exchange for another KST and
password to gain access to these password-based servers.
Each password-based server requires a separate password
for access.

Referring now to FIG. 4, there is illustrated a high-level
logic flow diagram of a method for authenticating sign-on
requests to multiple computer servers, in accordance with a
preferred embodiment of the invention. Starting at block 40,
a user ID and a password are collected from a user at the
workstation. The user ID along with the password are then
sent to the authentication broker, as shown in block 41. The
user ID and the password information are accepted by the
authentication broker for authenticating the validity of the
user, as illustrated in block 42. A determination is then made
as to whether or not the user is an authorized user, as
depicted in block 43. If the user is not an authorized user,
the process is aborted, as shown in block 99. Otherwise, if
the user is an authorized user, a Kerberos Ticket Granting
Ticket (KTGT) is obtained from the authentication server by
the authentication broker. The Kerberos Ticket Granting
Ticket is then returned from the authentication broker to
the requesting workstation, as depicted in block 45. In turn,
this Kerberos Ticket Granting Ticket is subsequently sent
back to the authentication broker each time a new server is
requested by the user at the workstation during the same
session, as illustrated in block 46. After receiving the
Kerberos Ticket Granting Ticket, this time the authentication
broker responds by sending a Kerberos Service Ticket (KST)
back to the requesting workstation, as shown in blocks 47
and 48. This KST is valid for gaining access to a Kerberos
Ticket-based server.

A determination is made at the workstation as to whether
or not a password and/or passticket are also needed, as 
shown in block 49. If neither a password nor a passticket is 
required, the process goes to block 56. Otherwise, if either 
a password or a passticket is required (or both a password 
and a passticket are required), the Kerberos Service Ticket 
is sent to the authentication broker once again, as illustrated 
in block 50. After receiving the Kerberos Service Ticket, a 
determination is subsequently made within the authentica- 
tion broker as to whether a password or a passticket is 
needed, as shown in blocks 51 and 52. If a passticket is 
needed, the passticket is computed within the authentication 
broker, as shown in block 54. On the contrary, if a password
is needed, a table lookup is performed by the authentication 
broker in a database containing all the passwords, as shown 
in block 53. The computed passticket and/or obtained pass- 
word are then returned back to the requesting workstation, 
as shown in block 55. At this point, the requesting work- 
station can access a server within the distributed computing 
network utilizing a Kerberos Service Ticket, a passticket or 
a password, as appropriate. 
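The exchanges of FIGS. 3a, 3b, 3c and 4, carried through on both the workstation and the broker side, as an added example that is not part of the patent and not the patentee's code. Tickets are modelled as HMAC-signed JSON rather than real Kerberos tickets; the passticket construction (a time-windowed HMAC over a secret shared between the broker and the passticket-based server), the injected clock, the one-use rule for a KST, and every user, server, password and key in it are assumptions made for this illustration. The password table is a cleartext store, exactly as block 53 describes it.

```python
# Added example, not the patent's code: toy model of the authentication broker
# protocol of FIGS. 3a-3c and 4. Ticket format, passticket derivation, and all
# sample users, servers and secrets are assumptions made for this illustration.
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (assumed): sign-on passwords, the broker's password
# table of block 53, and per-server passticket secrets used in block 54.
USERS = {"alice": "correct horse"}
PASSWORD_TABLE = {("alice", "mvs-payroll"): "P@yr0ll!"}  # cleartext store: protect it
PASSTICKET_KEYS = {"mvs-hr": b"\x01" * 16}               # shared with the passticket server

TGT_LIFETIME, KST_LIFETIME, PASSTICKET_WINDOW = 8 * 3600, 300, 60


def compute_passticket(server_key, user, server, now):
    """Assumed construction: one-time value over the server secret, user and time window."""
    msg = f"{user}:{server}:{now // PASSTICKET_WINDOW}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:8].upper()


def passticket_server_accepts(server, user, ticket, now):
    """What passticket-based server 37 does: recompute for this and the previous window."""
    key = PASSTICKET_KEYS[server]
    for t in (now, now - PASSTICKET_WINDOW):
        if hmac.compare_digest(compute_passticket(key, user, server, t), ticket):
            return True
    return False


class AuthenticationBroker:
    def __init__(self, now=time.time):
        self._tgt_key = secrets.token_bytes(32)   # signs KTGTs
        self._kst_key = secrets.token_bytes(32)   # signs KSTs
        self._now = now
        self._redeemed = set()                    # KST nonces already exchanged (block 50)

    def _sign(self, key, payload):
        body = json.dumps(payload, sort_keys=True).encode()
        return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

    def _verify(self, key, token, kind):
        body, _, mac = token.rpartition(b".")
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
            raise PermissionError("ticket signature invalid")
        payload = json.loads(body)
        if payload["kind"] != kind or payload["exp"] < self._now():
            raise PermissionError("wrong ticket type or ticket expired")
        return payload

    def sign_on(self, user, password):
        """Blocks 41-45: validate user ID and password, return a KTGT."""
        if not hmac.compare_digest(USERS.get(user, "").encode(), password.encode()):
            raise PermissionError("sign-on rejected")
        return self._sign(self._tgt_key, {"kind": "KTGT", "user": user,
                                          "exp": self._now() + TGT_LIFETIME})

    def service_ticket(self, tgt, server):
        """Blocks 46-48: exchange a KTGT for a KST bound to one server."""
        t = self._verify(self._tgt_key, tgt, "KTGT")
        return self._sign(self._kst_key, {"kind": "KST", "user": t["user"], "server": server,
                                          "nonce": secrets.token_hex(8),
                                          "exp": self._now() + KST_LIFETIME})

    def credential(self, kst):
        """Blocks 50-55: exchange a KST for a computed passticket or a looked-up password."""
        k = self._verify(self._kst_key, kst, "KST")
        if k["nonce"] in self._redeemed:
            raise PermissionError("KST already redeemed")   # one exchange per KST (assumed rule)
        self._redeemed.add(k["nonce"])
        user, server = k["user"], k["server"]
        if server in PASSTICKET_KEYS:
            return "passticket", compute_passticket(PASSTICKET_KEYS[server], user, server,
                                                    int(self._now()))
        if (user, server) in PASSWORD_TABLE:
            return "password", PASSWORD_TABLE[(user, server)]
        raise LookupError(f"no passticket key or password on file for {server}")


def workstation_session(broker, user, password, servers):
    """Workstation side of FIG. 4: one sign-on, then one KTGT->KST exchange per server."""
    tgt = broker.sign_on(user, password)
    results = {}
    for server, needs_credential in servers:
        kst = broker.service_ticket(tgt, server)
        results[server] = broker.credential(kst) if needs_credential else ("kst", kst)
    return results


if __name__ == "__main__":
    broker = AuthenticationBroker()
    session = workstation_session(broker, "alice", "correct horse",
                                  [("fileserver", False), ("mvs-hr", True), ("mvs-payroll", True)])
    for server, (kind, _) in session.items():
        print(f"{server}: access via {kind}")
```

The checks worth copying from this model are the ones the flow diagram leaves implicit: the broker binds each ticket to its type and expiry and rejects a KTGT presented where a KST is expected, every comparison of secrets is constant-time, and a KST can be redeemed for a passticket or password only once, so a captured KST cannot be replayed for a second credential. The caveat is the password path: block 53 hands a reusable cleartext password back to the workstation, so that branch is only as strong as the channel to the workstation and the protection of the password database, whereas the passticket branch expires with its time window.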

As has been described, the present invention provides an 
improved method and system for authenticating an autho- 
rized user to multiple computer servers within a distributed 
computing network that are available to the authorized user 
after a single network sign-on. The method and system of the 
present invention are intended for accessing computer serv- 
ers that utilize passwords, passtickets, or Kerberos Tickets. 
The present invention provides the capability to exploit the 
Kerberos authentication scheme within a distributed com- 
puting environment where not all applications and computer 
servers understand the Kerberos protocols. 

While the invention has been particularly shown and
described with reference to a preferred embodiment, it will
be understood by those skilled in the art that various changes
in form and detail may be made therein without departing 
from the spirit and scope of the invention. 

What is claimed is: 

1. A method for authenticating a user with respect to 
multiple computer servers within a distributed computing 
network, said method comprising: 

providing an authentication broker within said distributed 
computing network; 
receiving an authentication request from a workstation at
said authentication broker;

issuing a Kerberos Ticket Granting Ticket to said work- 
station from said authentication broker after a determi- 
nation that said authentication request is valid;

issuing a Kerberos Service Ticket to said workstation 
from said authentication broker in response to an access 
request from said workstation to a Kerberos Ticket- 
based server within said distributed computing net- 
work; 

issuing a passticket to said workstation from said authen- 
tication broker in response to an access request from 
said workstation to a passticket-based server within 
said distributed computing network; 

issuing a password to said workstation from said authen- 
tication broker in response to an access request from 
said workstation to a password-based server within said 
distributed computing network, such that accesses to all 
said servers are granted via a single network
authentication request.

2. The method for authenticating a user to multiple 
computer servers within a distributed computing network 
according to claim 1, wherein said step of receiving an 
authentication request further includes a step of receiving a 
user identification and an associated password. 

3. The method for authenticating a user to multiple 
computer servers within a distributed computing network 
according to claim 1, wherein said step of issuing a Kerberos 
Service Ticket further includes a step of exchanging said
Kerberos Ticket Granting Ticket for said Kerberos Service
Ticket.

4. The method for authenticating a user to multiple 
computer servers within a distributed computing network 
according to claim 1, wherein said step of issuing a pas- 
sticket further includes a step of exchanging said Kerberos 
Ticket Granting Ticket for a second Kerberos Service Ticket 
and a step of exchanging said second Kerberos Service 
Ticket for said passticket. 

5. The method for authenticating a user to multiple 
computer servers within a distributed computing network 
according to claim 1, wherein said step of issuing a pass- 
word further includes a step of exchanging said Kerberos 
Ticket Granting Ticket for a third Kerberos Service Ticket 
and a step of exchanging said third Kerberos Service Ticket 
for said password. 

6. A computer program product stored on a computer 
readable medium for authenticating a user with respect to 
multiple computer servers within a distributed computing 
network, said computer product comprising: 

program code means for receiving an authentication
request from a workstation at said authentication
broker;

program code means for issuing a Kerberos Ticket Grant- 
ing Ticket to said workstation from said authentication 
broker after a determination that said authentication
request is valid; 

program code means for issuing a Kerberos Service 
Ticket to said workstation from said authentication 
broker in response to an access request from said 
workstation to a Kerberos Ticket-based server within 
said distributed computing network; 

program code means for issuing a passticket to said 
workstation from said authentication broker in 
response to an access request from said workstation to 
a passticket-based server within said distributed com- 
puting network; 
program code means for issuing a password to said
workstation from said authentication broker in
response to an access request from said workstation to
a password-based server within said distributed
computing network, such that accesses to all said servers
are granted via a single network authentication request.

7. The computer program product for authenticating a
user to multiple computer servers within a distributed
computing network according to claim 6, wherein said program
code means for receiving an authentication request further
includes a program code means for receiving a user
identification and an associated password.

8. The computer program product for authenticating a
user to multiple computer servers within a distributed
computing network according to claim 6, wherein said program
code means for issuing a Kerberos Service Ticket further
includes a program code means for exchanging said Kerberos
Ticket Granting Ticket for said Kerberos Service Ticket.

9. The computer program product for authenticating a
user to multiple computer servers within a distributed
computing network according to claim 6, wherein said program
code means for issuing a passticket further includes a
program code means for exchanging said Kerberos Ticket
Granting Ticket for a second Kerberos Service Ticket and a
program code means for exchanging said second Kerberos
Service Ticket for said passticket.

10. The computer program product for authenticating a
user to multiple computer servers within a distributed
computing network according to claim 6, wherein said program
code means for issuing a password further includes a
program code means for exchanging said Kerberos Ticket
Granting Ticket for a third Kerberos Service Ticket and a
program code means for exchanging said third Kerberos
Service Ticket for said password.

11. An authentication broker for authenticating a user to
multiple computer servers within a distributed computing
network, said authentication broker comprising:

means for receiving an authentication request from a
workstation;

means for issuing a Kerberos Ticket Granting Ticket to
said workstation after a determination that said
authentication request is valid;

means for issuing a Kerberos Service Ticket to said
workstation in response to an access request from said
workstation to a Kerberos Ticket-based server within
said distributed computing network;

means for issuing a passticket to said workstation in
response to an access request from said workstation to
a passticket-based server within said distributed
computing network;

means for issuing a password to said workstation in
response to an access request from said workstation to
a password-based server within said distributed
computing network, such that accesses to all said servers
are granted via a single network authentication request.

12. The authentication broker for authenticating a user to
multiple computer servers within a distributed computing
network according to claim 11, wherein said means for
receiving an authentication request further includes a means
for receiving a user identification and an associated
password.

13. The authentication broker for authenticating a user to
multiple computer servers within a distributed computing
network according to claim 11, wherein said means for
issuing a Kerberos Service Ticket further includes a means
for exchanging said Kerberos Ticket Granting Ticket for said
Kerberos Service Ticket.

14. The authentication broker for authenticating a user to
multiple computer servers within a distributed computing
network according to claim 11, wherein said means for
issuing a passticket further includes a means for exchanging
said Kerberos Ticket Granting Ticket for a second Kerberos
Service Ticket and a means for exchanging said second
Kerberos Service Ticket for said passticket.

15. The authentication broker for authenticating a user to
multiple computer servers within a distributed computing
network according to claim 11, wherein said means for
issuing a password further includes a means for exchanging
said Kerberos Ticket Granting Ticket for a third Kerberos
Service Ticket and a means for exchanging said third
Kerberos Service Ticket for said password.